This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new be7dc9c187 Remove references to the JNI methods
be7dc9c187 is described below
commit be7dc9c1876865ed9db4d03f1961ad37e0808a29
Author: remm <[email protected]>
AuthorDate: Wed Jan 3 20:40:20 2024 +0100
Remove references to the JNI methods
The two implementations have probably diverged a bit by now.
---
.../util/net/openssl/panama/OpenSSLContext.java | 29 ----------------------
.../util/net/openssl/panama/OpenSSLEngine.java | 5 +---
2 files changed, 1 insertion(+), 33 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index a1ae1a1b87..c79726fc76 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -273,10 +273,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// Longer session timeout
SSL_CTX_set_timeout(sslCtx, 14400);
- // From SSLContext.make, possibly set
ssl_callback_ServerNameIndication
- // From SSLContext.make, possibly set ssl_callback_ClientHello
- // Probably not needed
-
// Set int pem_password_cb(char *buf, int size, int rwflag, void
*u) callback
SSL_CTX_set_default_passwd_cb(sslCtx,
SSL_CTX_set_default_passwd_cb$cb.allocate(new
PasswordCallback(null), contextArena));
@@ -352,7 +348,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
log.debug(sm.getString("opensslconf.checkCommand", name,
value));
}
try (var localArena = Arena.ofConfined()) {
- // rc = SSLConf.check(confCtx, name, value);
if (name.equals("NO_OCSP_CHECK")) {
rc = 1;
} else {
@@ -406,7 +401,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
private boolean applyConf(OpenSSLConf conf) throws Exception {
boolean result = true;
- // SSLConf.assign(confCtx, sslCtx);
SSL_CONF_CTX_set_ssl_ctx(state.confCtx, state.sslCtx);
OpenSSLConfCmd cmd;
String name;
@@ -425,7 +419,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
log.debug(sm.getString("opensslconf.applyCommand", name,
value));
}
try (var localArena = Arena.ofConfined()) {
- // rc = SSLConf.apply(confCtx, name, value);
if (name.equals("NO_OCSP_CHECK")) {
noOcspCheck = Boolean.parseBoolean(value);
rc = 1;
@@ -529,7 +522,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
success = addCertificate(certificate, localArena);
- // SSLContext.setVerify(state.ctx, value,
sslHostConfig.getCertificateVerificationDepth());
// Client certificate verification
int value = 0;
switch (sslHostConfig.getCertificateVerification()) {
@@ -563,7 +555,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// by the server during the handshake to allow the client
choosing
// an acceptable certificate
for (X509Certificate caCert :
state.x509TrustManager.getAcceptedIssuers()) {
- //SSLContext.addClientCACertificateRaw(state.ctx,
caCert.getEncoded());
var rawCACertificate =
localArena.allocateFrom(ValueLayout.JAVA_BYTE, caCert.getEncoded());
var rawCACertificatePointer =
localArena.allocateFrom(ValueLayout.ADDRESS, rawCACertificate);
var x509CACert = d2i_X509(MemorySegment.NULL,
rawCACertificatePointer, rawCACertificate.byteSize());
@@ -577,9 +568,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
} else {
// Client certificate verification based on trusted CA files
and dirs
- //SSLContext.setCACertificate(state.ctx,
- //
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
- //
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
MemorySegment caCertificateFileNative =
sslHostConfig.getCaCertificateFile() != null
?
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
: null;
MemorySegment caCertificatePathNative =
sslHostConfig.getCaCertificatePath() != null
@@ -609,8 +597,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
if (state.negotiableProtocols != null &&
state.negotiableProtocols.size() > 0) {
- // int openSSLCallbackAlpnSelectProto(MemoryAddress ssl,
MemoryAddress out, MemoryAddress outlen,
- // MemoryAddress in, int inlen, MemoryAddress arg
SSL_CTX_set_alpn_select_cb(state.sslCtx,
SSL_CTX_set_alpn_select_cb$cb.allocate(new
ALPNSelectCallback(), contextArena), state.sslCtx);
}
@@ -946,10 +932,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
keyPassToUse = keyPass;
}
// Set certificate
- //SSLContext.setCertificate(state.ctx,
- //
SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
- //
SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
- // certificate.getCertificateKeyPassword(),
getCertificateIndex(certificate));
byte[] certificateFileBytes = null;
try (Resource resource =
ConfigFileLoader.getSource().getResource(certificate.getCertificateFile())) {
certificateFileBytes =
resource.getInputStream().readAllBytes();
@@ -1145,8 +1127,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
log.error(sm.getString("openssl.errorLoadingCertificate",
certificate.getCertificateChainFile()), e);
return false;
}
- // SSLContext.setCertificateChainFile(state.ctx,
- //
SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
MemorySegment certificateChainBytesNative =
localArena.allocateFrom(ValueLayout.JAVA_BYTE, certificateChainBytes);
MemorySegment certificateChainBIO = BIO_new(BIO_s_mem());
try {
@@ -1177,11 +1157,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
// Set revocation
- //SSLContext.setCARevocation(state.ctx,
- // SSLHostConfig.adjustRelativePath(
- //
sslHostConfig.getCertificateRevocationListFile()),
- // SSLHostConfig.adjustRelativePath(
- //
sslHostConfig.getCertificateRevocationListPath()));
MemorySegment certificateStore =
SSL_CTX_get_cert_store(state.sslCtx);
if (sslHostConfig.getCertificateRevocationListFile() != null) {
MemorySegment x509Lookup =
X509_STORE_add_lookup(certificateStore, X509_LOOKUP_file());
@@ -1221,9 +1196,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
StringBuilder sb = new StringBuilder(BEGIN_KEY);
sb.append(Base64.getMimeEncoder(64, new byte[]
{'\n'}).encodeToString(x509KeyManager.getPrivateKey(alias).getEncoded()));
sb.append(END_KEY);
- //SSLContext.setCertificateRaw(state.ctx, chain[0].getEncoded(),
- // sb.toString().getBytes(StandardCharsets.US_ASCII),
- // getCertificateIndex(certificate));
var rawCertificate =
localArena.allocateFrom(ValueLayout.JAVA_BYTE, chain[0].getEncoded());
var rawCertificatePointer =
localArena.allocateFrom(ValueLayout.ADDRESS, rawCertificate);
var rawKey = localArena.allocateFrom(ValueLayout.JAVA_BYTE,
sb.toString().getBytes(StandardCharsets.US_ASCII));
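Review bot: The PEM-encoded private key is materialised as an immutable `String` via `sb.toString()` and again as a heap `byte[]` before being copied into `localArena`; the arena copy is released when the try-with-resources closes, but the `StringBuilder`, `String` and `byte[]` copies stay on the heap until garbage collection and cannot be zeroed. If this key material is meant to be short-lived on the Java side, building the PEM into a `byte[]` and wiping it with `Arrays.fill` right after `allocateFrom` would shrink the window; whether heap-resident key material is already accepted elsewhere in this class is not visible from the hunk. The enclosing method starts and ends outside the hunk.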
@@ -1272,7 +1244,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
for (int i = 1; i < chain.length; i++) {
- //SSLContext.addChainCertificateRaw(state.ctx,
chain[i].getEncoded());
var rawCertificateChain =
localArena.allocateFrom(ValueLayout.JAVA_BYTE, chain[i].getEncoded());
var rawCertificateChainPointer =
localArena.allocateFrom(ValueLayout.ADDRESS, rawCertificateChain);
var x509certChain = d2i_X509(MemorySegment.NULL,
rawCertificateChainPointer, rawCertificateChain.byteSize());
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 9ac43a7be6..76541ebe59 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1096,7 +1096,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
case REQUIRE -> SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
case OPTIONAL -> certificateVerificationOptionalNoCA ?
OpenSSLContext.OPTIONAL_NO_CA : SSL_VERIFY_PEER();
};
- // SSL.setVerify(state.ssl, value, certificateVerificationDepth);
// Set int verify_callback(int preverify_ok, X509_STORE_CTX
*x509_ctx) callback
int value = switch (mode) {
case NONE -> SSL_VERIFY_NONE();
@@ -1209,7 +1208,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
private static int processOCSP(MemorySegment /*X509_STORE_CTX*/ x509ctx) {
int ocspResponse = V_OCSP_CERTSTATUS_UNKNOWN();
- // ocspResponse = ssl_verify_OCSP(x509_ctx);
MemorySegment x509 = X509_STORE_CTX_get_current_cert(x509ctx);
if (!MemorySegment.NULL.equals(x509)) {
// No need to check cert->valid, because ssl_verify_OCSP() only
@@ -1322,7 +1320,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
return V_OCSP_CERTSTATUS_UNKNOWN();
}
MemorySegment buf = bufPointer.get(ValueLayout.ADDRESS, 0);
- // HTTP request with the following header
+ // HTTP request with the following header:
// POST urlPath HTTP/1.1
// Host: urlHost:urlPort
// Content-Type: application/ocsp-request
@@ -1534,7 +1532,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if (!clientMode) {
// if used on the server side
SSL_get_peer_cert_chain(...) will not include the remote peer certificate.
// We use SSL_get_peer_certificate to get it in this
case and add it to our array later.
- //
// See
https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html
clientCert = getPeerCertificate();
} else {